New PCI Standards for New Ways of Building Software

This post explains how the PCI Security Standards Council has introduced its new PCI Software Security Framework to align PCI with modern software development and deployment practices such as DevOps, microservices, and containers. The Payment Card Industry Data Security Standard (more commonly known as PCI DSS) has been a standard for organizations that handle credit cards since its introduction in 2004. Just to put that date into perspective, 2004 was also the year that Facebook was launched! The standard has been updated numerous times, but even the last major update was way back in 2013. Docker had just been introduced at PyCon in March 2013. And Kubernetes was nothing more than an obscure nautical term known only to scholars of ancient Greek — the software was still more than a year off.

Every major modern trend in how we build and operate software — Agile, DevOps, continuous delivery, containers, serverless — came about after PCI DSS. New ways of creating value with software exist, so new ways of assessing their security are needed as well. Fortunately, the PCI Security Standards Council has recognized this, too, with the introduction of the new PCI Software Security Framework, which will eventually replace PCI DSS when it expires in 2022.

The new Framework consists of two new standards, the PCI Secure Software Standard and the PCI Secure SLC Standard, that address similar issues from different perspectives.

These new standards aim to align PCI with modern software development practices. They are built around “objective-focused security practices” that will work with both traditional and evolving application development and deployment approaches.

The PCI Secure Software Standard, like the current PA-DSS (Payment Application Data Security Standard), is all about the confidentiality and integrity of payment data. It is intended for payment software that is sold, distributed, or licensed to a third party. While the requirements don’t apply to “in-house software,” the good security practices described can be beneficial for any type of application. The PCI Secure SLC Standard focuses on security requirements and assessment procedures throughout the entire software lifecycle — and we know that in a modern cloud-native world, that’s a fast-moving lifecycle. The standards cover topics including threat identification, vulnerability detection and mitigation, and security testing. The Framework covers assessment procedures and test requirements throughout.

Even if you don’t fall under PCI requirements in your own business, these standards are worth a look. The requirements describe good secure software development practices that should be the norm, regardless of your industry. Think how good your customers will feel if you can tell them that you treat their personal data with the same care that is applied to financial data in the payment card industry!

At Threat Stack, we’re very excited to see the PCI standards catch up with modern application and software development practices. As experts in full-stack security observability from the control plane to the application layer, we agree that a focus on continuous monitoring and testing — which is a central theme in the new standards — is critical to business success. IAST (interactive application security testing) and SCA (software composition analysis) are called out specifically in the Secure Software Standard; good news for organizations (like us) that believe security needs to “stretch left” and address application security early in the software development life cycle.

Watch for more content from Threat Stack on this topic in the future. We look forward to continuing to help you operate securely in the cloud with payment systems, and everything else that makes your company succeed in the digital economy.

If you’re interested in learning more about how Threat Stack’s experts can help with your security and compliance requirements, feel free to sign up for a demo.